Misconfigured Server Leaks Oklahoma Department of Securities Data

A storage server configured for public access was found to expose terabytes of data belonging to the Oklahoma Department of Securities, UpGuard reveals.

The server was found on December 7 and Oklahoma was notified of the exposure on December 8, when public access was removed. While it’s uncertain for how long the data store was exposed, the server first appeared on Shodan (a search engine for Internet-facing IP addresses) on November 30.

The data on the server totaled three terabytes and millions of files, containing personal information, system credentials, internal documentation, and communications intended for the Oklahoma Securities Commission, among others.

“The amount, and reach, of administrative and staff credentials represents a significant impact to the Oklahoma Department of Securities’ network integrity,” UpGuard says.

While analyzing the exposed data, UpGuard security researchers discovered that it was generated over the course of three decades, “with the oldest data originating in 1986 and the most recent modified in 2016.”

The server was exposed because of an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, which allowed any user worldwide to download all of the stored files.
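As an illustration of how this class of exposure can be caught in review, the following added example (not code from UpGuard or from the affected agency) audits an rsync daemon configuration for modules that accept anonymous clients from any address. The sample configuration is constructed, and the function names `parse_rsyncd_conf` and `audit_modules` are hypothetical.

```python
import re

# Constructed sample rsyncd.conf (not from the incident): one module open to
# anonymous clients, one restricted by password and source address.
SAMPLE_CONF = """\
uid = nobody
# global defaults above, modules below
[backups]
    path = /srv/backups
[staging]
    path = /srv/staging
    auth users = deploy
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
"""

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}) with normalized names."""
    global_params, modules = {}, {}
    current = global_params
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = modules.setdefault(section.group(1).strip(), {})
            continue
        if "=" in line:
            name, value = line.split("=", 1)
            # Whitespace inside parameter names is irrelevant to rsyncd,
            # so "auth users" is stored as "authusers".
            current[re.sub(r"\s+", "", name).lower()] = value.strip()
    return global_params, modules

def audit_modules(text):
    """Map each module name to its findings; an empty list means none."""
    global_params, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        effective = {**global_params, **params}  # globals act as defaults
        findings = []
        if not effective.get("authusers"):
            findings.append("no 'auth users': anonymous access allowed")
        if not effective.get("hostsallow"):
            findings.append("no 'hosts allow': any client address accepted")
        if effective.get("readonly", "yes").lower() in ("no", "false", "0"):
            findings.append("'read only' disabled: module is writable")
        report[name] = findings
    return report
```

A module that reports both of the first two findings is readable by anyone who can reach the daemon's port, unless a network control outside rsync restricts it.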

The researchers also note that the website for the Securities Commission runs outdated software, such as the web server IIS 6.0, which reached end of life in July 2015. This, too, represents a major security risk.

The researchers found email backups from 1999 to 2016 on the server, and note that these PST files often include plaintext passwords, images of identification cards, tax documents, and internal strategic deliberations.

“Storing backups of email mailboxes is a common practice required by data retention policies. The contents of those backups rarely include concentrated sensitive data, like in a user database, but over the course of thousands of emails people invariably reveal information intended to be private,” UpGuard notes.

One database included information on around ten thousand brokers, including their social security numbers. A CSV file contained date of birth, state of birth, country of birth, gender, height, weight, hair color, and eye color for over a hundred thousand brokers.

Credentials found on the server included VNC credentials for remote access to Department of Securities workstations, a BlueExpress database of credentials for third parties submitting securities filings, and a spreadsheet of IT services with the usernames and passwords for accounts with Thawte, Symantec Protection Suite, Tivoli, and others.

UpGuard also notes that “the scale of the data makes it impractical to perform any kind of exhaustive documentation of the exposed information.”

“Leaking three terabytes of the FBI’s data due to leaving a server unsecured without a password is a critical error and indicates the need for the Oklahoma Securities Commission, as well as other government agencies, to strengthen their current security measures to ensure future breaches can be avoided in the first place,” Jonathan Bensen, interim CISO and senior director of product management, Balbix, told SecurityWeek in an emailed comment.

“Leaving a database containing such critical information unsecured is an elementary mistake for which there is no excuse,” Bensen added.

Matan Or-El, co-founder and CEO of Panorays, commented, “Data security is not necessarily always about protecting from attackers; quite often it’s about protecting against mistakes. The Oklahoma data leak is the latest in a long series of incidents in which sensitive data was exposed to the internet by mistake, where anyone could access it. By continuously monitoring the attack surface of an organization, one can learn a lot about the security and data hygiene practices of an organization.”